Perl Locale::Maketext Module Two Code Injection

by Carol~ Moderator - 12/7/12 6:22 AM

In Reply to: VULNERABILITIES / FIXES - December 07, 2012 by Carol~ Moderator

Perl Locale::Maketext Module Two Code Injection Vulnerabilities

Release Date : 2012-12-07

Criticality level : Moderately critical
Impact : System access
Where : From remote
Solution Status : Vendor Workaround

Software: Locale::Maketext 1.x (module for Perl)

Description:
Two vulnerabilities have been reported in the Locale::Maketext module for Perl, which can be exploited by malicious users to compromise an application using the module.

The vulnerabilities are caused by the "_compile()" function not properly sanitising input, which can be exploited to inject and execute arbitrary Perl code.

The vulnerabilities are reported in version 1.23. Prior versions may also be affected.

Solution:
Fixed in the GIT repository:

Provided and/or discovered by:
Brian Carlson of cPanel

Original Advisory:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=695224

http://secunia.com/advisories/51498/